CVE-2013-0764

The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers to execute arbitrary code via crafted data, as demonstrated by e-mail message data.

Weakness

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Affected Software

Name	Vendor	Start Version	End Version
Firefox	Mozilla	*	19.0 (excluding)
Firefox_esr	Mozilla	*	17.0.3 (excluding)
Seamonkey	Mozilla	*	2.16 (excluding)
Thunderbird	Mozilla	*	17.0.3 (excluding)
Thunderbird_esr	Mozilla	*	17.0.3 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/112.html
https://cwe.mitre.org/data/definitions/192.html
https://cwe.mitre.org/data/definitions/20.html

References

http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00017.html
http://www.mozilla.org/security/announce/2013/mfsa2013-07.html
http://www.ubuntu.com/usn/USN-1681-1
http://www.ubuntu.com/usn/USN-1681-2
http://www.ubuntu.com/usn/USN-1681-4
https://bugzilla.mozilla.org/show_bug.cgi?id=804237
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16715

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-0764
CWE	https://cwe.mitre.org/data/definitions/326.html

Inadequate Encryption Strength

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References